The Austrian student organisation europe-v-facebook.org announced last week that it is preparing to bring 22 of its complaints to the Irish Data Protection Authority concerning Facebook Ireland to the courts.

It all began, when the group complained to the Office of the Data Protection Commissioner (ODPC) about facebook criticising a violation of data protection rights and best practices by Facebook. The Authority then not only handled the complaints but even engaged in a full investigation and initiated an “Audit”. The parties, the ODPC and Facebook, seemed to take the “Audit” seriously. Deputy Commissioner, Gary Davis, who led the Audit, described the proceedings as “while often robust on both sides, at all times constructive with a collective goal of compliance with data protection requirements”.

The outcome of these negotiations were interpreted quite diversely. While the ODPC found “that the great majority of the recommendations have been fully implemented to the satisfaction of this Office”, other voices found less sweet words. First among them is europe-v-facebook.org. Nevertheless, they had to concede that “the Audit has led to many achievements” and that “the work by the Irish Authority has led to many important steps in the right direction, which we very much honour”, Max Schrems, speaker of the group stated.

However, the devil seems to hide in the detail. In a statement, europe-v-facebook.org doubts that the agency in some instances independently verified Facebook’s claims “or if they blindly trusted facebook”. As an example the group pointed out the data security. In this point the ODPC was assisted by an external expert. The student organisation says that this expert relied on unproven statements. They quote him as saying that if Facebook has implemented the features it has submitted, Facebook would be secure. But according to them those features were never independently tested. What’s more, the group quotes the expert saying that “since there have not been widely reported data breaches at Facebook, there is no reason to question the security.” Mr Schrems of europe-v-facebook.org compares that to an engineer saying that since he has not read about a particular bridge collapsing, it must be safe.

They had to deal with a whole armada of lawyers from Facebook.

—Max Schrems, Spokesman of europe-v-facebook.org

What’s more there is criticism of the legal knowledge of the Authority and it’s interpretation of European data protection law. According to Schrems it often is contrary to the rest of the EU’s interpretation. But he also expressed understanding for the ODPC’s situation: “They had to deal with a whole armada of lawyers from Facebook”.

However, the Austrian privacy advocates are not alone with their discontent. The Independent Centre for Data Protection of Schleswig-Holstein (Landeszentrum für Datenschutz Schleswig-Hollstein), an independent German government agency for data protection, heavily criticised the Audit. They explicitly pointed out that the whole Audit did not check the legal conformity of any of Facebook’s actions. In a statement, the German government agency said that it cannot understand why their Irish colleagues came to the conclusion “that the great majority of the recommendations have been fully implemented to the satisfaction of this Office”. From the German authority’s point of view major points of criticism were either ignored or not disproved satisfactorily. According to them, the Irish ODPC must have been aware of this. As an example they name the chat monitoring, which was conceded by the Irish Data Protection Commissioner to be illegal. That chat monitoring was initiated during the time the Audit took place. According to the German authorities, Facebook until this day is refusing to change it.

Related Articles

While facebook is been dragged to court already in the US and is under legal fire from state agencies in Germany, it now may have to prepare for lawsuits in an Irish forum. The financial risk is enormous, Schrems says that to appeal any decision by the ODPC this risk may range from 100,000 euro to 300,000 euro plus expenses for a court case. Still, the Austrians felt that they have to take their chances, hoping for a decision that might change social media once and for all. “If we get these things before the courts, it is very likely that it goes all the way to the European Court of Justice. Such a case would be a landmark for the whole IT industry, equally to the anti-trust cases against Microsoft,” Mr Schrems said. In order to have a chance to get the court to decide on those complicated issues the organisation has launched a “crowd funding” platform to gather donations.